transforms: add Yara support

event/event.go

@@ -174,15 +174,25 @@ func DestinationHardwareAddr(addr net.HardwareAddr) Option {
 	}
 }
 
+// Protocol returns an option for setting the protocol.
+// This is redundant if SourceAddr is used.
+func Protocol(p string) Option {
+	return func(m Event) {
+		m.Store("protocol", p)
+	}
+}
+
 // SourceAddr returns an option for setting the source-ip value.
 func SourceAddr(addr net.Addr) Option {
 	return func(m Event) {
 		if ta, ok := addr.(*net.TCPAddr); ok {
 			m.Store("source-ip", ta.IP.String())
 			m.Store("source-port", ta.Port)
+			m.Store("protocol", "tcp")
 		} else if ua, ok := addr.(*net.UDPAddr); ok {
 			m.Store("source-ip", ua.IP.String())
 			m.Store("source-port", ua.Port)
+			m.Store("protocol", "udp")
 		}
 	}
 }
@@ -195,7 +205,6 @@ func DestinationAddr(addr net.Addr) Option {
 			m.Store("destination-port", ta.Port)
 		} else if ua, ok := addr.(*net.UDPAddr); ok {
 			m.Store("destination-ip", ua.IP.String())
-			m.Store("destination-port", ua.Port)
 		}
 	}
 }
@@ -263,13 +272,6 @@ func Service(v string) Option {
 	}
 }
 
-// Protocol sets the protocol of the event
-func Protocol(v string) Option {
-	return func(m Event) {
-		m.Store("protocol", v)
-	}
-}
-
 // Message returns an option for setting the payload value.
 // should this be just a formatter? eg Bla Bla {src-ip}
 func Message(format string, a ...interface{}) Option {

listener/canary/tcp_handlers.go

@@ -69,7 +69,6 @@ func (c *Canary) DecodeHTTP(conn net.Conn) error {
 	c.events.Send(event.New(
 		CanaryOptions,
 		EventCategoryHTTP,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Custom("http.method", request.Method),
@@ -114,7 +113,6 @@ func (c *Canary) DecodeElasticsearch(conn net.Conn) error {
 	c.events.Send(event.New(
 		CanaryOptions,
 		EventCategoryElasticsearch,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Custom("http.method", request.Method),
@@ -161,7 +159,6 @@ func (c *Canary) DecodeHTTPS(conn net.Conn) error {
 	options := []event.Option{
 		CanaryOptions,
 		EventCategoryHTTPS,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Payload(buff[:n]),
@@ -237,7 +234,6 @@ func (c *Canary) DecodeMSSQL(conn net.Conn) error {
 	c.events.Send(event.New(
 		CanaryOptions,
 		EventCategoryMSSQL,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Payload(buff[:n]),
@@ -262,7 +258,6 @@ func (c *Canary) DecodeTelnet(conn net.Conn) error {
 	c.events.Send(event.New(
 		CanaryOptions,
 		EventCategoryTelnet,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Payload(buff[:n]),
@@ -287,7 +282,6 @@ func (c *Canary) DecodeRedis(conn net.Conn) error {
 	c.events.Send(event.New(
 		CanaryOptions,
 		EventCategoryRedis,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Payload(buff[:n]),
@@ -312,7 +306,6 @@ func (c *Canary) DecodeRDP(conn net.Conn) error {
 	c.events.Send(event.New(
 		CanaryOptions,
 		EventCategoryRDP,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Payload(buff[:n]),
@@ -337,7 +330,6 @@ func (c *Canary) DecodeFTP(conn net.Conn) error {
 	c.events.Send(event.New(
 		CanaryOptions,
 		EventCategoryNBTIP,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Payload(buff[:n]),
@@ -362,7 +354,6 @@ func (c *Canary) DecodeNBTIP(conn net.Conn) error {
 	c.events.Send(event.New(
 		CanaryOptions,
 		EventCategoryNBTIP,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Payload(buff[:n]),
@@ -387,7 +378,6 @@ func (c *Canary) DecodeSMBIP(conn net.Conn) error {
 	options := []event.Option{
 		CanaryOptions,
 		EventCategorySMBIP,
-		event.Protocol("tcp"),
 		event.SourceAddr(conn.RemoteAddr()),
 		event.DestinationAddr(conn.LocalAddr()),
 		event.Payload(buff[:n]),

plugins/README.md

@@ -0,0 +1,9 @@
+This folder contains some plugin examples, each in its directory.
+
+To use the plugins, compile them, then move the .so file to the data directory for your honeytrap install (for example, /home/peter/.honeytrap):
+
+    $ cd plugins/udp-ampl-detector
+    $ go build -buildmode=plugin udp-ampl-detector.go # For smaller plugin sizes, append "-ldflags '-s'"
+    $ cp udp-ampl-detector.so /home/peter/.honeytrap
+
+To write plugins, write them under "package main" in a separate directory, and make sure to export the correct function(s) - Transform for transforms, Service for services, and so on. For more details, refer to the documentation.

plugins/plugins.go

@@ -0,0 +1,69 @@
+/*
+* Honeytrap
+* Copyright (C) 2016-2017 DutchSec (https://dutchsec.com/)
+*
+* This program is free software; you can redistribute it and/or modify it under
+* the terms of the GNU Affero General Public License version 3 as published by the
+* Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+* FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+* details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* version 3 along with this program in the file "LICENSE".  If not, see
+* <http://www.gnu.org/licenses/agpl-3.0.txt>.
+*
+* See https://honeytrap.io/ for more details. All requests should be sent to
+* licensing@honeytrap.io
+*
+* The interactive user interfaces in modified source and object code versions
+* of this program must display Appropriate Legal Notices, as required under
+* Section 5 of the GNU Affero General Public License version 3.
+*
+* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+* these Appropriate Legal Notices must retain the display of the "Powered by
+* Honeytrap" logo and retain the original copyright notice. If the display of the
+* logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
+* must display the words "Powered by Honeytrap" and retain the original copyright notice.
+ */
+package plugins
+
+import (
+	"fmt"
+	"os"
+	"path"
+	"plugin"
+)
+
+func Get(name, symName, folder string) (sym interface{}, found bool, e error) {
+	filename := path.Join(folder, name+".so")
+	if _, err := os.Stat(filename); err != nil {
+		e = fmt.Errorf("Couldn't find dynamic plugin: %s", err.Error())
+		return
+	}
+	found = true
+	dynamicPl, err := plugin.Open(filename)
+	if err != nil {
+		e = fmt.Errorf("Couldn't load dynamic plugin: %s", err.Error())
+		return
+	}
+	sym, err = dynamicPl.Lookup(symName)
+	if err != nil {
+		e = fmt.Errorf("Couldn't lookup symbol \"%s\": %s", symName, err.Error())
+		return
+	}
+	return
+}
+
+func MustGet(name, symName, folder string) interface{} {
+	out, found, err := Get(name, symName, folder)
+	if !found {
+		panic(fmt.Errorf("Plugin %s not found", name))
+	}
+	if err != nil {
+		panic(err.Error())
+	}
+	return out
+}

plugins/udp-ampl-detector/udp-ampl-detector.go

@@ -0,0 +1,40 @@
+/*
+This is an example of a Yara-based plugin.
+
+It matches a few known patterns for UDP amplification attacks.
+*/
+
+package main
+
+import (
+	"github.com/honeytrap/honeytrap/event"
+	"github.com/honeytrap/honeytrap/transforms"
+	"github.com/honeytrap/honeytrap/transforms/yara"
+	"github.com/op/go-logging"
+)
+
+var log = logging.MustGetLogger("udp-ampl-detector")
+
+func Transform() transforms.TransformFunc {
+	matcher, err := yara.NewMatcherFrom("/honeytrap/assets/yara-custom/amplification.yara")
+	if err != nil {
+		panic(err)
+	}
+	return func(state transforms.State, e event.Event, send func(event.Event)) {
+		matches, err := matcher.GetMatches(e)
+		if err != nil {
+			log.Error(err.Error())
+			return
+		}
+
+		// Send the original event, as well as an additional event for each match
+		send(e)
+		for _, match := range matches {
+			send(event.New(
+				event.Sensor("yara-custom"),
+				event.Category("amplification"),
+				event.Type(match.Rule),
+			))
+		}
+	}
+}

pushers/channel.go

@@ -31,8 +31,12 @@
 package pushers
 
 import (
+	"fmt"
+
 	"github.com/BurntSushi/toml"
+
 	"github.com/honeytrap/honeytrap/event"
+	"github.com/honeytrap/honeytrap/plugins"
 )
 
 // Channel defines a interface which exposes a single method for delivering
@@ -65,12 +69,48 @@ func WithConfig(c toml.Primitive) func(Channel) error {
 	}
 }
 
-func Get(key string) (ChannelFunc, bool) {
-	d := Dummy
+// Gets a static or dynamic channel implementation, giving priority to static ones.
+func Get(name, folder string) (ChannelFunc, error) {
+	staticCh, ok := channels[name]
+	if ok {
+		return staticCh, nil
+	}
+
+	// todo: add Lua support (issue #272)
+	sym, found, err := plugins.Get(name, "Channel", folder)
+	if !found {
+		return nil, fmt.Errorf("Channel %s not found", name)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return sym.(ChannelFunc), nil
+}
 
-	if fn, ok := channels[key]; ok {
-		return fn, true
+func MustGet(name, folder string) ChannelFunc {
+	out, err := Get(name, folder)
+	if err != nil {
+		panic(err.Error())
 	}
+	return out
+}
+
+type tokenChannel struct {
+	Channel
+
+	Token string
+}
 
-	return d, false
+// Send delivers the slice of PushMessages and using the internal filters
+// to filter out the desired messages allowed for all registered backends.
+func (mc tokenChannel) Send(e event.Event) {
+	mc.Channel.Send(event.Apply(e, event.Token(mc.Token)))
+}
+
+// TokenChannel returns a Channel to set token value.
+func TokenChannel(channel Channel, token string) Channel {
+	return tokenChannel{
+		Channel: channel,
+		Token:   token,
+	}
 }